Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are for bugs uncovered by Google), so this could have a big impact.
Comment by Nelson on Sat 1st Jun 2013 19:26 UTC

Microsoft in 2010 on Google fully disclosing after a few days:

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Full disclosure time windows are a complicated matter and often things are not that cut and dried. I do agree with Full Disclosure, I'm just not sure what the amount of time should be that passes before a disclosure is made.

Reply Score: 6